US20060059550A1 - Stateful application firewall - Google Patents

Publication number: US20060059550A1
Authority: US (United States)
Legal status: Granted
Application number: US11/222,402
Other versions: US8161538B2 (en)
Inventor: Balas Kausik
Current assignee: Cisco Technology Inc
Original assignee: Cisco Technology Inc
Assignment: Cisco Technology, Inc. (assignor: Kausik, Balas Natarajan)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q20/027 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP] involving a payment switch or gateway

Abstract

A method and system to protect web applications from malicious attacks is described. A stateful means of distinguishing between valid (e.g., harmless) and invalid (e.g., harmful) accesses is provided. A request from a content browser for content from an application server is forwarded by a firewall to the application server if it includes a URL that was previously transmitted from the application server. The firewall performs a security evaluation of the request if the URL of the request was not previously transmitted from the application server.

Description

RELATED APPLICATION

This application claims priority from a provisional application entitled “STATEFUL APPLICATION FIREWALL”, filed on Sep. 13, 2004, Ser. No. 60/609,419, the entire contents of which are included herein by reference.

TECHNICAL FIELD

This application relates to protecting web applications from malicious attacks.

BACKGROUND

Web applications must be accessible to users yet impervious to attack from malicious hackers, and from inadvertent users whose desktop computers have been compromised by worms and viruses.

Consider a web application such as online banking that is accessible to a large number of users. The application infrastructure is installed at a data center and shielded from the internet by a network firewall. The network firewall blocks traffic on all TCP/IP (Transmission Control Protocol/Internet Protocol) ports except those that carry HTTP (HyperText Transfer Protocol) and HTTPS (HTTP over Secure Sockets Layer) traffic, typically ports 80 and 443. Malicious attackers may mount attacks via HTTP or HTTPS, and the network firewall cannot protect against those. In addition, users with compromised desktops can inadvertently attack the application when they visit it. In either case, the operator of the application must take steps to protect the application from attack.

Some of these attacks are infrastructure attacks; that is, they target vulnerabilities in the infrastructure of the application. For example, the web server running the application may have vulnerabilities that are subject to attack, as was the case with recent worms such as CodeRed and Nimda. In other cases, the application itself may have vulnerabilities. For example, requesting a malformed URL (Uniform Resource Locator) of an application could cause the application to become unstable or to expose confidential information to unauthorized access. Protecting the application and/or its infrastructure from these sorts of attacks is the subject of many commercial products, such as those from Teros, Sanctum and F5. These and other products form a broad class called application firewalls.

An application firewall must be able to distinguish between authorized and unauthorized access, and between a valid URL and an invalid URL. Current technology aims to distinguish between valid and invalid URLs by employing a training phase and a protection mode. During the training phase, the system learns a valid range of values of URLs, including the parameters and cookie values associated with them. Subsequently, during the protection mode, any URL that falls outside the learned range is denied. This approach is prone to false positives: legitimate users requesting legitimate URLs may be denied access, since it is impossible to capture the full range of valid URLs in any reasonable training period.

HyperText Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands. For example, when a user enters a URL in a browser, the browser sends an HTTP command to a web server directing it to fetch and transmit the requested web page. HTTP is called a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it.
SUMMARY

A method and system to protect web applications from malicious attacks is provided. Techniques for the automated classification of URL requests as harmful or harmless are disclosed herein. These techniques are stateful because the context of each request is considered in the classification, and thus may result in significantly fewer classification errors. Other features will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of the present invention are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:

FIG. 1 is a block diagram of a network system of an example embodiment;

FIG. 2 is a flow chart of methods according to example embodiments; and

FIG. 3 illustrates a diagrammatic representation of a machine in the form of a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed, according to example embodiments.

DETAILED DESCRIPTION

In the following detailed description of example embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments in which the example method and system may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of this description.
A need exists for a stateful means of distinguishing between valid (e.g., harmless) and invalid (e.g., harmful) accesses. A stateful classification may also be referred to as a context classification. A stateful classification of a URL generally impacts one or more future URLs in the same user session, the same TCP/IP connection, etc.

FIG. 1 illustrates an example network environment 100 in which various example implementations described herein may be applied. The environment 100 includes a content browser 110 connected over a network 120 to a communication node of an application firewall 130. The application firewall 130 has a second communication node that is in turn connected to an application server 140. In an example implementation, the application firewall 130 may reside in the same or a different computing device as the application server 140, or be connected to the application server 140 in a distributed computing environment (e.g., via the network 120). In an embodiment, the application firewall is a set of instructions executed by a processor, as explained below.

When the content browser 110 makes an HTTP request to the application server 140, the application firewall 130 receives the request and classifies it as harmful or harmless. Specifically, in an example implementation, the application firewall examines the following attributes of the HTTP request:

1. URL
2. parameters
3. source IP
4. MIME type
5. cookie
6. headers
7. HTTP method
8. body or content
The application firewall 130 accepts a configurable set of rules (for simplicity of explanation, hereinafter referred to as the “attribute rules”) that specify properties of attributes, and policies on how to treat requests or responses that satisfy these rules. The attribute rules associated with the policies are typically configured to protect against malicious behavior. For example, the use of non-ASCII characters in URL names is generally considered outside the HTTP standard specification. Attribute rules may also be dynamically generated, configured and/or modified, as will be described below. Example policies may specify actions such as:

1. Block the HTTP request entirely: In this case, the content browser may receive a response from the application firewall indicating an error condition. The firewall may also log the incident and/or alert the administrator.

2. Allow the HTTP request: In this case, the application firewall forwards the request to the application server, receives the associated response and forwards the response to the content browser.

3. Pause the HTTP request: In this case, the application firewall delays the content browser's request for a predetermined or specified period of time. All further requests on the same connection are also delayed as a result. During the period of the pause, the application firewall preserves the context of all requests that are paused. Pauses are useful to thwart denial-of-service attacks, where an attacker may make a large number of requests in a short period of time in an attempt to bring down the application.

4. Redirect the browser to an alternate HTTP request: In this case, the application firewall redirects the user to an alternate request, perhaps one indicating an error message. The alternate request URL is sent to the content browser, and the content browser may then elect to pursue the alternate request, which may be at an entirely different application.

5. Forward the browser to an alternate HTTP request: In this case, the application firewall initiates an alternate request to the application server. For example, the application firewall may determine that the request from the content browser is harmful, and may elect to terminate the user session with the application server by requesting the logoff URL.

In the foregoing example policies, actions (3) and (5) may be considered stateful because the classification of one request may impact all future requests in the same connection or session.
In one embodiment, the application firewall 130 may parse every response from the application server 140 to accumulate a list of URLs that are embedded in the content being sent from the application server 140. All such embedded URLs may be deemed “harmless” and may be accumulated in a “dynamic whitelist” attribute rule.

In an embodiment, if a user received a reference to a URL embedded in content sent from the application server 140, the user may request that same URL in an HTTP request, which will be allowed by the application firewall 130. The stateful nature of the foregoing enables a simplified configuration of the application firewall 130, in that its policies need only handle two cases: (1) patently malicious requests that are outside the specification and are always to be denied; (2) requests that were embedded in outbound content and are always to be allowed as inbound requests later in the same session.

FIG. 2 illustrates methods of the present invention. At step 200 the firewall 130 receives a request from a content browser 110 for content from the application server 140. The firewall, at step 210, compares the request to a list of Uniform Resource Locators (URLs) previously sent from the application server. If there is a match, the firewall forwards the request to the application server. If there is no match to the list, a security evaluation of the request is performed at step 220.

Based upon the security evaluation, the firewall can block the request from the application server at step 240, forward the request to the application server at step 250, pause the request for a predetermined time at step 260, or redirect the request to a different location at step 270.
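As an added illustration (not the patent's or Cisco's code), the following Python sketch implements the FIG. 2 flow: outbound responses are parsed to build a per-session dynamic whitelist, inbound requests that match it are forwarded, and the rest go through a security evaluation that blocks out-of-spec requests, pauses a session that requests too many unknown URLs (the stateful pause of policy 3), redirects requests whose parameters differ from what the server handed out, and forwards the remainder. The host bank.example, the sample page, the thresholds and the parameter-tampering rule are constructed for this example.

```python
"""Stateful application firewall sketch: per-session dynamic whitelist of URLs
harvested from outbound responses, plus a security evaluation for everything else."""
from collections import deque
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCK, ALLOW, PAUSE, REDIRECT = "block", "allow", "pause", "redirect"
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


class _LinkExtractor(HTMLParser):
    """Collects href/src/action attribute values from outbound HTML."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def normalize(url, base=None):
    """Absolute URL without fragment, so list entries and requests compare equal."""
    absolute = urljoin(base, url) if base else url
    return urlsplit(absolute)._replace(fragment="").geturl()


def path_of(url):
    return urlsplit(url)._replace(query="").geturl()


@dataclass
class Session:
    whitelist: set = field(default_factory=set)        # URLs the server handed out
    unknown_times: deque = field(default_factory=deque)  # timestamps of unknown URLs
    paused_until: float = 0.0                          # a pause covers later requests


class StatefulFirewall:
    def __init__(self, max_unknown=3, window=10.0, pause_seconds=5.0):
        self.max_unknown = max_unknown   # unknown URLs tolerated per window (constructed)
        self.window = window
        self.pause_seconds = pause_seconds
        self.sessions = {}

    def _session(self, sid):
        return self.sessions.setdefault(sid, Session())

    def observe_response(self, sid, page_url, html):
        """Outbound path: harvest embedded URLs into the session's dynamic whitelist."""
        extractor = _LinkExtractor()
        extractor.feed(html)
        self._session(sid).whitelist.update(normalize(u, page_url) for u in extractor.links)

    def classify(self, sid, request, now):
        """Inbound path (FIG. 2): list match -> forward; otherwise security evaluation."""
        s = self._session(sid)
        if now < s.paused_until:
            return PAUSE                       # an earlier pause is still in force
        url = normalize(request["url"])
        if url in s.whitelist:
            return ALLOW
        return self._security_evaluation(s, url, request, now)

    def _security_evaluation(self, s, url, request, now):
        # Attribute rules: requests outside the specification are always denied.
        if not request["url"].isascii() or request.get("method", "GET") not in ALLOWED_METHODS:
            return BLOCK
        # Denial-of-service heuristic: too many unknown URLs inside the window
        # pauses the whole session, not just this request.
        s.unknown_times.append(now)
        while s.unknown_times and now - s.unknown_times[0] > self.window:
            s.unknown_times.popleft()
        if len(s.unknown_times) > self.max_unknown:
            s.paused_until = now + self.pause_seconds
            return PAUSE
        # Parameter tampering: the path was handed out, but with other parameters.
        if any(path_of(w) == path_of(url) for w in s.whitelist):
            return REDIRECT                    # e.g. to an error page
        return ALLOW                           # unknown but clean: forward it


def demo():
    """Constructed session: a login page linking to the user's own account."""
    fw = StatefulFirewall()
    page = '<a href="/accounts?id=17">My account</a><form action="/transfer"></form>'
    fw.observe_response("s1", "https://bank.example/login", page)
    get = lambda u: {"method": "GET", "url": "https://bank.example" + u}
    return [
        fw.classify("s1", get("/accounts?id=17"), 0.0),  # handed out -> allow
        fw.classify("s1", get("/accounts?id=18"), 0.0),  # tampered id -> redirect
        fw.classify("s1", get("/caf\u00e9"), 0.0),       # non-ASCII -> block
        fw.classify("s1", get("/help"), 1.0),            # unknown but clean -> allow
        fw.classify("s1", get("/a"), 2.0),
        fw.classify("s1", get("/b"), 3.0),               # 4th unknown URL -> pause
        fw.classify("s1", get("/accounts?id=17"), 4.0),  # still paused
        fw.classify("s1", get("/accounts?id=17"), 9.0),  # pause expired -> allow
    ]


if __name__ == "__main__":
    print(demo())
```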
Those skilled in the art will understand that there are other attributes of requests to consider and other actions that may be taken by the application firewall in disposing of requests. Nevertheless, the basic teaching of stateful inspection can considerably improve the accuracy of classifying requests as harmful or harmless, as well as protect against denial-of-service attacks by enabling the classification of one request to impact all future requests in the same session.
The embodiments described herein may be implemented in an operating environment comprising software installed on a computer, in hardware, or in a combination of software and hardware. The software and/or hardware would typically include some type of computer-readable media which can store data and logic instructions that are accessible by the computer or the processing logic within the hardware. Such media might include, without limitation, hard disks, floppy disks, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROMs), and the like.

FIG. 3 shows a diagrammatic representation of a machine in the example form of a computer system 300 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. That is, the computer system 300 can be used in embodiments for the application firewall 130 and/or the application server 140.

The example computer system 300 includes a processor 302 (e.g., a central processing unit (CPU), a graphics processing unit (GPU) or both), a main memory 304 and a static memory 306, which communicate with each other via a bus 308. The computer system 300 may further include a video display unit 310 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)). The computer system 300 can also include an alphanumeric input device 312 (e.g., a keyboard), a user interface (UI) navigation device 314 (e.g., a mouse), a disk drive unit 316, a signal generation device 318 (e.g., a speaker) and a network interface device 320.

The disk drive unit 316 includes a machine-readable medium 322 on which is stored one or more sets of instructions and data structures (e.g., software 324) embodying or utilized by any one or more of the methodologies or functions described herein. The software 324 may also reside, completely or at least partially, within the main memory 304 and/or within the processor 302 during execution thereof by the computer system 300, the main memory 304 and the processor 302 also constituting machine-readable media.

The software 324 may further be transmitted or received over a network 326 via the network interface device 320 utilizing any one of a number of well-known transfer protocols (e.g., HTTP).

While the machine-readable medium 322 is shown in an example embodiment to be a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that causes the machine to perform any one or more of the methodologies of the present invention, or that is capable of storing, encoding or carrying data structures utilized by or associated with such a set of instructions. The term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical and magnetic media, and carrier wave signals.

Although embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

Claims (20)

1. A method of securing a network system comprising:
receiving a request for content from an application server by a remote browser;
at an application firewall located between the application server and the remote browser comparing the request to a list of Uniform Resource Locators (URL's) previously sent from the application server;
processing the request if a URL of the request is included in the list; and
performing a security evaluation of the request if the URL of the request is not included in the list.
2. The method of claim 1 wherein performing the security evaluation comprises evaluating attributes of the request.
3. The method of claim 2 wherein based upon the security evaluation the request is either blocked from the application server, forwarded to the application server, paused for a predetermined time, or redirected to a different location.
4. A machine-readable medium embodying instructions which, when executed by a machine, cause the machine to perform the method of claim 1.
5. A method of securing an application server comprising:
maintaining a list of Uniform Resource Locators (URL's) sent from the application server;
receiving a Hyper Text Transfer Protocol (HTTP) request from a remote browser to access the application server;
at an application firewall located between the application server and the remote browser comparing the HTTP request to the list of URL's; and
forwarding the HTTP request to the application server if the HTTP request contains a URL matching a URL of the list.
6. The method of claim 5 which further comprises performing a security evaluation of the HTTP request if the URL of the HTTP does not match a URL of the list.
7. The method of claim 6 wherein performing the security evaluation comprises evaluating attributes of the request.
8. The method of claim 7 wherein based upon the security evaluation the request is either blocked from the application server, forwarded to the application server, paused for a predetermined time, or redirected to a different location.
9. A machine-readable medium embodying instructions which, when executed by a machine, cause the machine to perform the method of claim 5.
10. An application firewall comprising:
a processor coupled to communicate with a content browser and coupled to communicate with an application server, wherein the processor maintains a list of Uniform Resource Locators (URL's) sent from the application server, compares an HTTP request communicated from the content browser to the list of URL's, and forwards the HTTP request to the application server if the HTTP request contains a URL matching a URL of the list.
11. The application firewall of claim 10 wherein the processor is shared with the application server.
12. The application firewall of claim 10 wherein the processor further performs a security evaluation of the HTTP request if the URL of the HTTP does not match a URL of the list, wherein the security evaluation comprises evaluating attributes of the request.
13. A method of securing a network system comprising:
receiving a request for content from an application server;
processing the request if a URL of the request was previously transmitted from the application server; and
performing a security evaluation of the request if the URL of the request was not previously transmitted from the application server.
14. The method of claim 13 wherein performing the security evaluation comprises evaluating attributes of the request, and either blocks the request from the application server, forwards the request to the application server, pauses the request for a predetermined time, or redirects the request to a different location.
15. The method of claim 14 wherein the attributes of the request comprise at least one of a URL, parameters, source-IP, mime-type, cookie, headers, HTTP-method and a body.
16. A machine-readable medium embodying instructions which, when executed by a machine, cause the machine to perform the method of claim 13.
17. A server comprising:
a network interface to interface the server to a network; and
a processor to:
maintain a list of Uniform Resource Locators (URL's) sent from the application server;
receive a Hyper Text Transfer Protocol (HTTP) request from a remote browser to access the application server;
at an application firewall located between the application server and the remote browser, compare the HTTP request to the list of URL's; and
forward the HTTP request to the application server if the HTTP request contains a URL matching a URL of the list.
18. The server of claim 17 wherein a security evaluation of the HTTP request is performed if the URL of the HTTP does not match a URL of the list.
19. The server of claim 18 wherein performing the security evaluation comprises evaluating attributes of the request.
20. An application firewall comprising:
means for receiving a request for content from an application server;
means for comparing the request to a list of Uniform Resource Locators (URL's) previously sent from the application server;
means for processing the request if a URL of the request is included in the list; and
means for performing a security evaluation of the request if the URL of the request is not included in the list.

Priority Applications (2)

Application number | Priority date | Filing date | Title
US60941904P | 2004-09-13 | 2004-09-13 |
US11/222,402 (US8161538B2) | 2004-09-13 | 2005-09-08 | Stateful application firewall

Publications (2)

Publication number | Publication date
US20060059550A1 | 2006-03-16
US8161538B2 | 2012-04-17

US20070022474A1 (en) * 2005-07-21 2007-01-25 Mistletoe Technologies, Inc. Portable firewall
US7934253B2 (en) * 2006-07-20 2011-04-26 Trustwave Holdings, Inc. System and method of securing web applications across an enterprise
US7941830B1 (en) * 2006-11-01 2011-05-10 Trend Micro Incorporated Authentication protocol for network security services

Cited By (28)

Publication number Priority date Publication date Assignee Title
US8161538B2 (en) * 2004-09-13 2012-04-17 Cisco Technology, Inc. Stateful application firewall
US20060064469A1 (en) * 2004-09-23 2006-03-23 Cisco Technology, Inc. System and method for URL filtering in a firewall
US10552622B2 (en) * 2005-02-18 2020-02-04 Protegrity Corporation Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US20150096049A1 (en) * 2005-02-18 2015-04-02 Protegrity Corporation Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior
US20070261110A1 (en) * 2006-05-02 2007-11-08 Cisco Technology, Inc., A California Corporation Packet firewalls of particular use in packet switching devices
US8024787B2 (en) 2006-05-02 2011-09-20 Cisco Technology, Inc. Packet firewalls of particular use in packet switching devices
US7761912B2 (en) 2006-06-06 2010-07-20 Microsoft Corporation Reputation driven firewall
US8340090B1 (en) 2007-03-08 2012-12-25 Cisco Technology, Inc. Interconnecting forwarding contexts using u-turn ports
US20100199345A1 (en) * 2009-02-04 2010-08-05 Breach Security, Inc. Method and System for Providing Remote Protection of Web Servers
WO2010091186A3 (en) * 2009-02-04 2010-12-02 Breach Security, Inc. Method and system for providing remote protection of web servers
WO2010091186A2 (en) * 2009-02-04 2010-08-12 Breach Security, Inc. Method and system for providing remote protection of web servers
US20100281539A1 (en) * 2009-04-29 2010-11-04 Juniper Networks, Inc. Detecting malicious network software agents
US8914878B2 (en) * 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
US9344445B2 (en) 2009-04-29 2016-05-17 Juniper Networks, Inc. Detecting malicious network software agents
KR101024006B1 (en) * 2009-05-25 2011-03-29 (주)트리니티소프트 A collecting method white URL in web firewall and web firewall having a function of white URL collecting
US8789173B2 (en) 2009-09-03 2014-07-22 Juniper Networks, Inc. Protecting against distributed network flood attacks
US20110055921A1 (en) * 2009-09-03 2011-03-03 Juniper Networks, Inc. Protecting against distributed network flood attacks
US8468598B2 (en) 2010-08-16 2013-06-18 Sap Ag Password protection techniques using false passwords
CN103229181A (en) * 2010-10-13 2013-07-31 阿卡麦科技公司 Protecting websites and website users by obscuring URLs
US20120124372A1 (en) * 2010-10-13 2012-05-17 Akamai Technologies, Inc. Protecting Websites and Website Users By Obscuring URLs
US8925080B2 (en) 2011-12-20 2014-12-30 Sap Se Deception-based network security using false positive responses to unauthorized access requests
EP2608481A1 (en) * 2011-12-20 2013-06-26 Sap Ag Deception-based network security using false positive responses to unauthorized access requests
US9231913B1 (en) * 2014-02-25 2016-01-05 Symantec Corporation Techniques for secure browsing
CN104079583A (en) * 2014-07-17 2014-10-01 南京铱迅信息技术有限公司 Website protection method based on character conversion from server side to client side
US20160080401A1 (en) * 2014-09-12 2016-03-17 Sangfor Technologies Company Limited Method and system for detecting unauthorized access attack
US9800594B2 (en) * 2014-09-12 2017-10-24 Sangfor Technologies Company Limited Method and system for detecting unauthorized access attack
US20170244737A1 (en) * 2016-02-23 2017-08-24 Zenedge, Inc. Analyzing Web Application Behavior to Detect Malicious Requests
US10652254B2 (en) * 2016-02-23 2020-05-12 Zenedge, Inc. Analyzing web application behavior to detect malicious requests

Also Published As

Publication number Publication date
US8161538B2 (en) 2012-04-17

Similar Documents

Publication Publication Date Title
US10621263B2 (en) Internet-based proxy service to limit internet visitor connection speed
US10608983B2 (en) Registering for internet-based proxy services
US9967271B2 (en) Method and system for detecting restricted content associated with retrieved content
US10068091B1 (en) System and method for malware containment
US9762543B2 (en) Using DNS communications to filter domain names
US10200384B1 (en) Distributed systems and methods for automatically detecting unknown bots and botnets
US9306964B2 (en) Using trust profiles for network breach detection
US20190354709A1 (en) Enforcement of same origin policy for sensitive data
US9942250B2 (en) Network appliance for dynamic protection from risky network activities
US9660960B2 (en) Real-time reconfigurable web application firewall for a distributed platform
US9413785B2 (en) System and method for interlocking a host and a gateway
JP5714078B2 (en) Authentication for distributed secure content management systems
JP2016053979A (en) System and method for local protection against malicious software
JP5886422B2 (en) System, apparatus, program, and method for protocol fingerprint acquisition and evaluation correlation
US10237286B2 (en) Content delivery network protection from malware and data leakage
US10212173B2 (en) Deterministic reproduction of client/server computer state or output sent to one or more client computers
US10868826B2 (en) Secure browsing via a transparent network proxy
EP2608481B1 (en) Deception-based network security using false positive responses to unauthorized access requests
US8087082B2 (en) Apparatus for filtering server responses
US8370407B1 (en) Systems providing a network resource address reputation service
US8584234B1 (en) Secure network cache content
US8561177B1 (en) Systems and methods for detecting communication channels of bots
EP2774070B1 (en) System and method for detecting a malicious command and control channel
US10803005B2 (en) Systems and methods for enforcing policies in the discovery of anonymizing proxy communications
US9055093B2 (en) Method, system and computer program product for detecting at least one of security threats and undesirable computer files

Legal Events

Date Code Title Description
AS Assignment
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KAUSIK, BALAS NATARAJAN;REEL/FRAME:016977/0227
Effective date: 20050901
STCF Information on status: patent grant
Free format text: PATENTED CASE
CC Certificate of correction
FPAY Fee payment
Year of fee payment: 4
MAFP Maintenance fee payment
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
Year of fee payment: 8